author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-09-25 16:31:42 +0200 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-10-01 17:49:31 +0200 |
commit | 53393c894dd4ab944d88acd4e7070714342d1597 (patch) | |
tree | 168cdd120b38474dfc1b41d0a4302327da8d2469 /docs | |
parent | 28add648a8307d088d2997f7b722770af6a875c9 (diff) | |

Look at /etc/login.defs for the system_max_[ug]id values

It makes little sense to make the boundary between systemd and user guids
configurable. Nevertheless, a completely fixed compile-time define is not
enough in two scenarios:
- the systemd_uid_max boundary has moved over time. The default used to be
  500 for a long time. Systems which are upgraded over time might have users
  in the wrong range, but changing existing systems is complicated and
  expensive (offline disks, backups, remote systems, read-only media, etc.)
- systems are used in a heterogeneous environment, where some vendors pick
  one value and others another.

So let's make this boundary overridable using /etc/login.defs.

Fixes #3855, #10184.

Diffstat (limited to 'docs')
-rw-r--r-- | docs/UIDS-GIDS.md | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/docs/UIDS-GIDS.md b/docs/UIDS-GIDS.md index 67e6d083ff..e289a9b68e 100644 --- a/docs/UIDS-GIDS.md +++ b/docs/UIDS-GIDS.md @@ -171,10 +171,11 @@ pick — given that 64K UIDs are assigned to each container according to this allocation logic, the maximum UID used for this range is hence 1878982656+65535=1879048191.) -Note that systemd does not make any of these values runtime-configurable. All -these boundaries are chosen during build time. That said, the system UID/GID -boundary is traditionally configured in /etc/login.defs, though systemd won't -look there during runtime. +Systemd has compile-time default for these boundaries. Using those defaults is +recommended. It will nevertheless query `/etc/login.defs` at runtime, when +compiled with `-Dcompat-mutable-uid-boundaries=true` and that file is present. +Support for this is considered only a compatibility feature and should not be +used except when upgrading systems which were creating with different defaults. ## Considerations for container managers |
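
Review bot: The added paragraph in docs/UIDS-GIDS.md has two grammar slips: "Systemd has compile-time default for these boundaries" should read "systemd has compile-time defaults for these boundaries", and the final added line should say "systems which were created with different defaults" rather than "were creating". The paragraph also never states which settings in `/etc/login.defs` are consulted; the commit subject refers to the system_max_[ug]id values, so naming the relevant keys here would tell an administrator exactly what to audit when a host built with `-Dcompat-mutable-uid-boundaries=true` classifies an account as a system or regular user differently from the compile-time defaults. In "It will nevertheless query", consider making "systemd" the explicit subject, since the preceding sentence is about the defaults rather than the program.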